Research 30
- Ghost in the PPL Part 3: LSASS Memory Dump
- Ghost in the PPL Part 2: From BYOVDLL to Arbitrary Code Execution in LSASS
- Ghost in the PPL Part 1: BYOVDLL
- Extracting PEAP Credentials from Wired Network Profiles
- A Deep Dive into TPM-based BitLocker Drive Encryption
- Bypassing PPL in Userland (again)
- Debugging Protected Processes
- The End of PPLdump
- Revisiting a Credential Guard Bypass
- From RpcView to PetitPotam
- Fuzzing Windows RPC with RpcView
- Bypassing LSA Protection in Userland
- An Unconventional Exploit for the RpcEptMapper Registry Key Vulnerability
- Windows RpcEptMapper Service Insecure Registry Permissions EoP
- Windows .Net Core SDK Elevation of Privilege
- CVE-2020-1170 - Microsoft Windows Defender Elevation of Privilege Vulnerability
- Chimichurri Reloaded - Giving a Second Life to a 10-year old Windows Vulnerability
- PrintSpoofer - Abusing Impersonation Privileges on Windows 10 and Server 2019
- Windows Server 2008R2-2019 NetMan DLL Hijacking
- CVE-2020-0863 - An Arbitrary File Read Vulnerability in Windows Diagnostic Tracking Service
- CVE-2020-0787 - Windows BITS - An EoP Bug Hidden in an Undocumented RPC Function
- CVE-2020-0668 - A Trivial Privilege Escalation Bug in Windows Service Tracing
- CDPSvc DLL Hijacking - From LOCAL SERVICE to SYSTEM
- Give Me Back My Privileges! Please?
- Weaponizing Privileged File Writes with the USO Service - Part 2/2
- Weaponizing Privileged File Writes with the USO Service - Part 1/2
- VBA RunPE - Breaking Out of Highly Constrained Desktop Environments - Part 2/2
- VBA RunPE - Breaking Out of Highly Constrained Desktop Environments - Part 1/2
- CVE-2019-19544 - CA Dollar Universe 5.3.3 'uxdqmsrv' - Privilege Escalation via a Vulnerable SUID Binary
- CVE-2017-13130 - BMC Patrol 'mcmnm' - Privilege Escalation via a Vulnerable SUID Binary